Trying hundreds or thousands of hashes against the servers of random unconsenting people on the internet is beyond what I would be comfortable with. People have been prosecuted for less. It’s not the same as a crawler where you try a few well known locations and follow links. You’re trying to gain access to a system that somebody did not intend for you to have access to.

These endpoints probably don’t have protection because they were never designed to and it’s hard to add it later. Theoretically, if the IDs are random that’s probably good enough except that you wouldn’t be able to revoke access once somebody had it. The IDs probably aren’t random because at some point only the path is used. It’s how software evolves. It’s not on purpose that somebody may be able to guess the ID to gain access to it.